Order Code RL31547
Report for Congress
Received through the CRS Web
Critical Infrastructure Information
Disclosure and Homeland Security
Updated August 31, 2002
John D. Moteff
Specialist in Science and Technology Policy
Resources, Science and Industry Division
Gina Marie Stevens
Legislative Attorney
American Law Division
Congressional Research Service · The Library of Congress
Summary
Critical infrastructures have been defined as those systems and assets so vital
to the United States that the incapacity of such systems and assets would have a
debilitating impact on the United States. One of the findings of the President’s
Commission on Critical Infrastructure Protection, established by President Clinton
in 1996, was the need for the federal government and owners and operators of the
nation’s critical infrastructures to share information on vulnerabilities and threats.
However, the Commission noted that owners and operators are reluctant to share
confidential business information, and the government is reluctant to share
information that might compromise intelligence sources or investigations. Among
the strategies to help owners and operators share information with the federal
government was a proposal to exempt the information they share from disclosure
under the Freedom of Information Act (FOIA).
The Freedom of Information Act (FOIA) was passed to ensure by statute citizen
access to government information. Nine categories of information may be exempted
from disclosure. Three of the nine exemptions provide possible protection against
the release of critical infrastructure information: exemption 1 (national security
information); exemption 3 (information exempted by statute); and exemption 4
(confidential business information). Congress has considered several proposals to
exempt critical infrastructure information from the FOIA. Generally, the legislation
has either created an exemption 3 statute, or codified the standard adopted by the
D.C. Circuit in exemption 4 cases.
Both the House and Senate bills, H.R. 5005 and S. 2452, that would establish
the new Department of Homeland Security, include a FOIA exemption. Significant differences exist
between the bills regarding the scope of the information protection; the type of
information covered and exempted from FOIA; the other purposes authorized for
use or disclosure of the information; the disclosure of information with the consent
of the submitter; the permissibility of disclosures of related information by other
agencies; immunity from civil liability; preemption; and criminal penalties.
Some question the necessity of a FOIA exemption. Public interest groups argue
that the language in the House bill is far too broad and would allow a wide range of
information to be protected from disclosure (including information previously
available under FOIA), and that existing FOIA exemptions and case law provide
sufficient protections. They tend to favor the more limited protections proposed in
the Senate bill. Public interest groups are also concerned that the provision which
bars use of the protected information in civil actions in the House bill would shield
owners and operators from liability under antitrust, tort, tax, civil rights,
environmental, labor, consumer protection, and health and safety laws. Owners and
operators of critical infrastructures insist that the current law does not provide the
certainty of protection needed to protect their information. While they view the
Senate bill as a workable compromise, they hope to gain some of the additional
protections proposed in the House bill. This report will be updated.
Contents
Introduction and Background
Freedom of Information Act
FOIA Exemption 1 – National Security Information
FOIA Exemption 3 – Information Exempt by Statute
FOIA Exemption 4 – Confidential Business Information
Legislative Responses
FOIA Exemption in the Administration’s Proposal for Homeland Security
FOIA Exemptions in Homeland Security Proposals
H.R. 5005, Title VII, Subtitle C
S. 2452, Section 198
Issues and Concerns
Conclusion
The authors wish to thank Morton Rosenberg and Linda-Jo Shierow of the Congressional
Research Service for their contributions to this report.
Introduction and Background
Certain socio-economic activities are vital to the day-to-day functioning and
security of the country; for example, transportation of goods and people,
communications, banking and finance, and the supply of electricity and water. These
activities and services have been referred to as components of the nation’s critical
infrastructure. Domestic security and our ability to monitor, deter, and respond to
outside hostile acts also depend on some of these activities as well as other more
specialized activities like intelligence gathering, law enforcement, and military
forces. Serious disruption in these activities and capabilities could have a major
impact on the country’s well-being.
In July 1996, President Clinton established the President’s Commission on
Critical Infrastructure Protection (PCCIP).1 The Commission was tasked with
assessing the vulnerabilities of the country’s critical infrastructures and proposing
a strategy for protecting them. In its final 1997 report,2 the Commission stated that
the “...two-way sharing [of] information is indispensable to infrastructure assurance,”
and that “increasing the sharing of strategic information within each infrastructure,
across different sectors, and between sectors and the government will greatly assist
efforts of owners and operators to identify their vulnerabilities and acquire tools
needed for protection.” According to the Commission, the exchange of information
is also necessary to develop an analytic capability to examine information about
incidents, vulnerabilities, and other intelligence information to determine whether
events are related and can possibly be used to recognize or predict an attack.
The Commission also noted that there is a reluctance on the part of the private
sector and the government to share information related to vulnerabilities or incidents
needed to plan for and effect adequate protections. The private sector is reluctant to
submit information to the government related to vulnerabilities or incidents that
might damage its reputation, weaken its competitive position, lead to costly
investigations, be used inappropriately, or expose it to liability as a result of
disclosure by the government of confidential business information. The government
is reluctant to disclose threat information that might compromise intelligence
activities or investigations.
1 Executive Order 13010—Critical Infrastructure Protection. Federal Register, July 17,
1996. Vol. 61, No. 138. pp. 37347-37350.
2 Critical Foundations: Protecting America’s Infrastructures. The Report of the President’s
Commission on Critical Infrastructure Protection. Washington, D.C. October, 1997.
The first objective of the Commission’s recommended Strategy for Action was
to promote a partnership between government and infrastructure owners and
operators that would increase the sharing of information relating to infrastructure
threats, vulnerabilities, and interdependencies. The Commission proposed
developing an Information Sharing and Analysis Center (ISAC) that would consist
of government and private sector representatives working together to receive
information from all sources, analyze it, draw conclusions about vulnerabilities or
incidents within the infrastructures, and inform government and private sector users.
It also recognized that, in order to facilitate the exchange of information, the private
sector would need assurances that its confidential information would be protected.
The Commission noted that this might require that a legal vehicle be established
within the critical infrastructure information sharing mechanism that would protect
confidential information, and examined the ramifications of different approaches and
strategies related to the federal government’s protection of private sector
information. It briefly discussed some pros and cons associated with the creation of
a FOIA exemption 3 statute for critical infrastructure information. Under exemption
3 of the Freedom of Information Act (FOIA), 5 U.S.C. 552 et seq., information
protected from disclosure under other statutes is also exempt from public disclosure
under FOIA.3
In response to the Commission’s report, President Clinton released Presidential
Decision Directive No. 63 (PDD-63).4 The Directive instructed the National
Coordinator for Security, Infrastructure Protection and Counter-Terrorism and other
government officials to consult with private sector owners and operators of critical
infrastructures, and encourage the creation of a private sector information analysis
and sharing center as envisaged by the PCCIP. Although the Directive did not
address FOIA explicitly, it did direct the National Coordinator to undertake studies
to examine: liability issues arising from participation by private sector companies in
the information sharing process; existing legislative impediments to information
sharing with an eye toward removing those impediments; and the improved
protection, including secure dissemination of industry trade secrets, of other
confidential business data, law enforcement information and evidentiary material,
classified national security information, unclassified material disclosing
vulnerabilities of privately owned infrastructures and apparently innocuous
information that, in the aggregate, would be imprudent to disclose. The Clinton
Administration, however, never adopted a formal position on the desirability of an
exemption to FOIA or the necessity for any additional confidentiality protections.
In connection with the implementation of PDD-63, a number of industrial
sectors which own and/or operate critical infrastructures formed ISACs, and entered
into arrangements with the federal government to share information. However, the
General Accounting Office reported in April 2001 that very little or no formalized
flow of information has occurred from the private sector to the federal government.5
According to the Director of the National Infrastructure Protection Center, the
organization with which industry is to share information, one of the reasons for this
is the uncertainty regarding FOIA exemptions.6 Similarly, the Partnership for
Critical Infrastructure Security, a cross-industry group formed to facilitate
communication among industry sectors, has stated that it is not clear that any of the
existing FOIA exemptions provide the certainty of protection that many companies
require before disclosing threat and vulnerability information to the government.7
3 Exemption 3 exempts from disclosure information specifically exempted by statute, as
long as the statute leaves no discretion on disclosure and specifies particular
criteria for withholding or refers to particular types of matters to be withheld. 5 U.S.C. §
552(b)(3). See the next section of this report for further discussion.
4 The White House, Protecting America’s Critical Infrastructures: Presidential Decision
Directive 63 (May 1998). Available at [http://www.ciao.gov/resource/paper598.pdf].
In the 106th Congress, both H.R. 4246 (Davis/Moran) and S. 3188 (Kyl)
included an exemption from FOIA for cyber security information voluntarily
provided to the federal government, and prohibited the information from being used,
by either the federal government or a third party, in any civil action.8 Neither bill
was reported out of committee.
During the 107th Congress, two bills were introduced with many of the same
provisions: H.R. 2435 (Davis) and S. 1456 (Bennett/Kyl) would exempt information
voluntarily submitted to the federal government in connection with critical
infrastructure protection from FOIA,9 and provide protection against civil action.
Both bills remain in committee. In an effort to reconcile the two bills, S. 1456 was
modified, taking some of the House language. The rewritten bill, however, was
never introduced. The Bush Administration offered qualified support for both bills.10
In President Bush’s proposal to establish a new Department of Homeland Security,
part of which proposes establishing a critical infrastructure protection function, a
FOIA exemption was included for information held by the Department.
Subsequently, both the House and Senate bills, H.R. 5005 and S. 2452, that would
establish the new Department, narrowed the FOIA exemption to cover only
information regarding critical infrastructure vulnerabilities and threats. The House
passed H.R. 5005 on July 27, 2002. S. 2452 is scheduled for floor consideration
September 3, 2002.
5 Critical Infrastructure Protection. Significant Challenges in Developing National
Capabilities. United States General Accounting Office. GAO-01-323. April 2001. See
Chapter 4.
6 Id. Appendix 1, p.99. It should be noted that, according to the GAO, another reason the
private sector has not shared information with the government is the lack of agreement on
what type of information is needed.
7 Partnership for Critical Infrastructure Protection. Working Group 3. Public Policy White
Paper. p. 5. Available at [http://www.pcis.org/WG3/WG-3_Public_Policy_WP.pdf].
8 See CRS Report RL30153, Critical Infrastructures: Background and Early Implementation
of PDD-63.
9 The Senate bill expanded the type of information to be protected to include information
related to the physical security of critical infrastructures, referring to protected information
as “critical infrastructure information,” specified the agencies covered by the legislation, and
prescribed how the information may be used.
10 White House Official Outlines Cyber Security Initiatives. Maureen Sirhal. National
Journal’s Technology Daily. January 25, 2002.
For information on the homeland security proposals, see CRS Report RL31513,
Homeland Security: Side-By-Side Comparison of H.R. 5005 and S. 2452, 107th
Congress.
Freedom of Information Act
In 1966, during floor debate on passage of the Freedom of Information Act
(FOIA),11 Representative Rumsfeld quoted James Madison when he said,
Knowledge will forever govern ignorance. And a people who mean to be
their own governors, must arm themselves with the power knowledge
gives. A popular government without popular information or the means
of acquiring it, is but a prologue to a farce or a tragedy, or perhaps both.12
As Congress debates homeland security legislation in 2002, the sentiments expressed
by Madison in 1822 are prescient today. The populace desires knowledge about the
activities of its government in order to ensure accountability and oversight. The
government desires information from owners and operators of critical infrastructures
in order to protect persons and assets in the war on terrorism. The terrorist attacks
of September 11 have prompted a reevaluation of how to balance public access to
information with the need for safety and security.
The federal government, since its beginnings, has delegated to agency heads the
basic authority to control the papers and documents of their departments. Through
the Housekeeping Statute of 1789, federal agencies have kept control of the
disclosure of their files.13 The Administrative Procedure Act (APA) of 1946 had a
slight impact upon departmental control of agency information.14 Instances were
documented, however, where both the Housekeeping Statute and the Administrative
Procedure Act had been used as excuses for withholding information, and concern
mounted that the APA had become a loophole for agency secrecy permitting agency
heads to exercise broad, unrestrained powers of a discretionary nature. The
Housekeeping Statute was amended to clarify that it does not authorize withholding
information from the public or limiting the availability of records to the public. The
amendment of the Housekeeping Statute did not produce the results sought by
advocates of greater public access to public information. The House Government
Information Subcommittee proposed a freedom of information bill that created a
right of any person to use the courts to enforce the right of access to federal
information. Although the proposal was well received by the press, federal agencies
were resistant. The Senate passed S. 1160 in 1965, the House in 1966, and the
Freedom of Information Act (FOIA) was signed into law by President Johnson on
July 4, 1966. The FOIA was subsequently amended in 1974, 1986, and 1996 for
several reasons: ambiguity in the text and legislative history; agency and
Department of Justice resistance to broader disclosure; increased oversight by
Congress; court interpretations of the statute and its procedural requirements and
exemptions; time delays by agencies in responding to requests for access to
information and delaying tactics by agencies in litigation; to clarify the scope of the
exemptions in response to Supreme Court decisions interpreting the Act’s provisions;
and to accommodate technological advances related to the methods prescribed for
public access.
11 5 U.S.C. § 552 et seq.
12 James Madison, 1822, quoted by Rep. Rumsfeld in House debate on passage of Freedom
of Information Act, 114 Cong. Rec. 13, 654 (1966).
13 “The head of an Executive department or military department may prescribe regulations
for the government of his department, the conduct of its employees, the distribution and
performance of its business, and the custody, use, and preservation of its records, papers, and
property. This section does not authorize withholding information from the public or limiting
the availability of records to the public.” 5 U.S.C. § 301.
14 60 Stat. 238.
The purpose of the Freedom of Information Act (FOIA) was to ensure by statute
citizen access to government information. The FOIA establishes for any
person—corporate or individual, regardless of nationality—presumptive access to
existing, unpublished agency records on any topic. The law specifies nine categories
of information that may be exempted from the rule of disclosure. The exemptions
permit, rather than require, the withholding of the requested information. Records
which are not exempt under one or more of the Act’s nine exemptions must be made
available. If a record has some exempt material, the Act provides that any
reasonably segregable portion of the record must be provided to any person
requesting such record after deletion of the portions which are exempt. Disputes
over the accessibility of requested records may be reviewed in federal court. Fees for
search, review, or copying of materials may be imposed; also, for some types of
requesters, fees may be reduced or waived. The FOIA was amended in 1996 to
provide for public access to information in an electronic form or format. In 2001,
agency annual reports indicated that agencies received approximately 1.9 million FOIA
requests.
With respect to the Freedom of Information Act, three of the nine exemptions
from public disclosure provide possible protections against the release of homeland
security and critical infrastructure information: exemption 1 (national security
information), exemption 3 (information exempted by statute), and exemption 4
(confidential business information).15
FOIA Exemption 1 – National Security Information
Exemption 1 of the FOIA protects from disclosure national security information
concerning the national defense or foreign policy, provided that it has been properly
classified in accordance with the substantive and procedural requirements of an
executive order.16 As of October 14, 1995, the executive order in effect is Executive
Order 12,958 issued by President Clinton (and amended in 1999 by Executive Order
13,142).17 Section 1.5 of the order specifies the types of information that may be
considered for classification: military plans, weapons systems, or operations; foreign
government information; intelligence activities, sources or methods, or cryptology;
foreign relations or foreign activities, including confidential sources; scientific,
technological, or economic matters relating to national security; U.S. government
programs for safeguarding nuclear materials and facilities; or vulnerabilities or
capabilities of systems, installations, projects, or plans relating to national security.
The categories of information that may be classified appear broad enough
to include homeland security information concerning critical infrastructures. Under
E.O. 12,958 information may not be classified unless “its disclosure reasonably
could be expected to cause damage to the national security.”18
15 See 5 U.S.C. § 552(b).
16 5 U.S.C. § 552(b)(1).
17 3 C.F.R. 333 (1996), reprinted in 50 U.S.C. § 435 note.
On March 19, 2002, the White House Chief of Staff issued a directive to the
heads of all federal agencies addressing the need to protect information concerning
weapons of mass destruction and other sensitive homeland security-related
information.19 The implementing guidance for the directive concerns sensitive
homeland security information that is currently classified, and previously
unclassified or declassified information.20 The guidance provides that with respect
to such information currently classified, the classified status of such information
should be maintained in accordance with Executive Order 12,958. This includes
extending the duration of classification as well as exempting such information from
automatic declassification as appropriate. With respect to previously unclassified or
declassified information concerning weapons of mass destruction and other sensitive
homeland security-related information, the implementing guidance provides that, to
the extent it has never been publicly disclosed under proper authority, it may be
classified or reclassified pursuant to Executive Order 12,958. If the information has
been subject to a previous request for access, such as a FOIA request, classification
or reclassification is subject to the special requirements of the executive order.
Section 792 of H.R. 5005, the Homeland Security Act of 2002, as passed by the
House on July 27, 2002, directs the President to prescribe and implement procedures
applicable to all federal agencies to share relevant, appropriate homeland security
information among federal agencies, including the Department of Homeland
Security, and with appropriate state and local personnel; to identify and safeguard
sensitive, unclassified homeland security information; to determine whether, how,
and to what extent to remove classified homeland security information, and to
determine with whom such homeland security information should be shared after
such classified information is removed. H.R. 5005 specifically states that the
substantive requirements for classification are not changed. S. 2452, agreed to by the
Senate Governmental Affairs Committee on July 25, 2002, does not have a parallel
provision.
18 Exec. Order No. 12,958, § 1.2(a)(4).
19 See White House Memorandum for Heads of Executive Departments and Agencies
Concerning Safeguarding Information Regarding Weapons of Mass Destruction and Other
Sensitive Documents Related to Homeland Security (Mar. 19, 2002); reprinted in FOIA Post
(posted 3/21/02).
20 See Memorandum from Acting Director of Information Security Oversight Office and Co-
Directors of Office of Information and Privacy to Departments and Agencies (March 31,
2002); reprinted in FOIA Post (posted 3/21/02).
FOIA Exemption 3 – Information Exempt by Statute
Under exemption 3 of the FOIA, information protected from disclosure under
other statutes is also exempt from public disclosure.21 Exemption 3 provides that the
FOIA does not apply to matters that are:
specifically exempted from disclosure by statute . . . provided that such
statute (A) requires that the matters be withheld from the public in such a
manner as to leave no discretion on the issue, or (B) establishes particular
criteria for withholding or refers to particular types of matters to be
withheld.22
Exemption 3 allows the withholding of information prohibited from disclosure by
another statute only if the other statute meets any one of the three criteria: (1) it
requires that the records be withheld (i.e., no agency discretion); (2) grants discretion
on whether to withhold but provides specific criteria to guide the exercise of that
discretion; or (3) describes with sufficient specificity the types of records to be
withheld. To support an exemption 3 claim, the information requested must fit
within a category of information that the statute authorizes to be withheld. As with
all FOIA exemptions, the government bears the burden of proving that requested
records are properly withheld. Numerous statutes have been held to qualify as
exemption 3 statutes under the exemption’s first subpart – statutes that require
information to be withheld and leave the agency no discretion. Several statutes have
failed to qualify under exemption 3 because too much discretion was vested in the
agency, or because the statute lacked specificity regarding the records to be
withheld.23 Unlike other FOIA exemptions, if the information requested under FOIA
meets the withholding criteria of exemption 3, the information must be withheld.
Congress has considered a number of proposals that address the disclosure
under FOIA of cyber security information, of information maintained by the
Department of Homeland Security, and of critical infrastructure information
voluntarily submitted to the Department of Homeland Security. Generally, the
legislation has specifically exempted the covered information from disclosure under
FOIA, in effect creating an exemption 3 statute for purposes of FOIA.
FOIA Exemption 4 – Confidential Business Information
Exemption 4 of FOIA exempts from disclosure “trade secrets and commercial
or financial information obtained from a person and privileged or confidential.”24
The latter category of information (commercial information that is privileged or
confidential) is relevant to the issue of the federal government’s protection of private
sector critical infrastructures information. To fall within this second category of
exemption 4, the information must satisfy three criteria. It must be: a) commercial
or financial; b) obtained from a person; and c) confidential or privileged. The D.C.
Circuit has held that the terms “commercial or financial” should be given their
ordinary meaning, and that records are commercial if the submitter has a
“commercial interest” in them.25 The second criterion, “obtained from a person,”
refers to a wide range of entities.26 However, information generated by the federal
government is not “obtained from a person,” and as a result is excluded from
exemption 4’s coverage.27
21 5 U.S.C. § 552(b)(3).
22 5 U.S.C. § 552(b)(3).
23 See CRS Congressional Distribution Memorandum, American Law Division, Freedom of
Information Act: Statutes Invoked under Exemption 3 (July 11, 2002).
24 5 U.S.C. § 552(b)(4).
Most exemption 4 cases have involved a dispute over whether the information
was “confidential.” In 1974, the D.C. Circuit in National Parks and Conservation
Association v. Morton, held that the test for confidentiality was an objective one.28
It held that neither the fact that a submitter would not customarily make the
information public, nor an agency’s promises of confidentiality were enough to
justify confidentiality. National Parks enunciated a two-part test: commercial
information is confidential “if disclosure of the information is likely to have either
of the following effects: (1) to impair the government’s ability to obtain necessary
information in the future; or (2) to cause substantial harm to the competitive position
of the person from whom the information was obtained.”29 These criteria are
commonly referred to as Test 1 and Test 2.30
In 1992, in Critical Mass Energy Project v. NRC,31 after examining arguments
in favor of overturning National Parks, the D.C. Circuit reaffirmed application of the
National Parks test based on the principle of stare decisis – which counsels against
overruling established precedent. The plaintiff was seeking reports which a utility
industry group prepared and gave voluntarily to the NRC. The agency did, however,
have the authority to compel submission. The full Circuit Court of Appeals clarified
the scope and application of the National Parks test. The court limited its
application “to the category of cases to which [they were] first applied; namely those
in which a FOIA request is made for commercial or financial information a person
was obliged to furnish to the Government.”32 The court established a new test for
confidentiality when the information is submitted voluntarily;33 the information is
exempt from disclosure if the submitter can show that it does not customarily release
the information to the public.34 Under the Critical Mass decision, one standard (the
traditional National Parks tests) applies to any information that a submitter “is
required to supply,” while a broader exemption 4 standard (a new “customary
treatment” test) applies to any information that is submitted to an agency on a
voluntary basis. The burden of establishing the submitter’s custom remains with the
agency seeking to withhold the records. Applying the customary treatment test to
the information at issue (utility industry group reports voluntarily submitted), the
D.C. Circuit agreed with the district court’s conclusion that the reports were
commercial; that they were provided to the agency on a voluntary basis; and that the
submitter did not customarily release them to the public. Thus, the reports were
found to be confidential and exempt from disclosure under exemption 4.
25 Public Citizen Health Research Group v. FDA, 704 F.2d 1280, 1290 (D.C. Cir. 1983).
26 See, Nadler v. FDIC, 92 F.3d 93, 95 (2d Cir. 1996)(term “person” includes “individual,
partnership, corporation, association, or public or private organization other than an agency”
(quoting definition found in Administrative Procedure Act, 5 U.S.C. § 551(2))).
27 See, Allnet Communications Servs. v. FCC, 800 F. Supp. 984, 988 (D.D.C. 1992).
28 498 F.2d 765 (D.C. Cir. 1974).
29 Id. at 770.
30 See also, Niagara Power Corp. v. United States Department of Energy, 169 F.3d 16 (D.C.
Cir. 1999)(court held that material fact existed as to whether disclosure of fuel consumption
and power generation figures provided pursuant to statute would impair agency’s ability to
collect information, and whether disclosure was likely to cause plants substantial harm).
31 975 F.2d 871, 879-80 (D.C. Cir. 1992)(en banc)(“Critical Mass II”), cert. denied, 113 S.
Ct. 1579 (1993).
32 Id. at 880.
The key issue raised by Critical Mass is the distinction between “required” and
“voluntary” information submissions. In its decision, the court did not expressly
define the two terms. The Department of Justice has issued policy guidance on the
distinction between information required and information voluntarily submitted
under Critical Mass, and has taken the position that the submission of records in
instances such as the bidding on government contracts is mandatory rather than
voluntary.35 The basic principles developed by the Justice Department are that a
submitter’s voluntary participation in an activity does not determine whether any
information submission made in connection with that activity is “voluntary;” that
Critical Mass determinations should be made according to the circumstances of
information submission; that information submissions can be “required” by a range
of legal authorities, including informal mandates that call for the submission of
information as a condition of dealing with the government or of obtaining a
government benefit; and that the existence of agency authority to require an
information submission does not automatically mean that the submission is
“required.”36 The decision in Critical Mass has generated a great deal of
commentary.37 In addition, there are many cases where courts have applied the
Critical Mass distinction between voluntary and required submissions.38
33 With respect to critical infrastructure information, the federal government seeks to ensure
that it is able to obtain the information from the private sector on a voluntary basis.
34 Id. at 879.
35 See FOIA Update, Vol. XIV, No. 2, at 3-5 (“OIP Guidance: The Critical Mass Distinction
Under Exemption 4”).
36 Id.
37 See, e.g., Rocco J. Maffei, The Impact of FOIA after Critical Mass, 22 Pub. Cont. L. J. 757
(1993); G. Branch Taylor, The Critical Mass Decision: A Dangerous Blow to Exemption 4
Litigation, 2 CommLaw Conspectus 133 (1994).
38 See, e.g., Lykes Bros. S.S. v. Pena, No. 92-2780, slip op. at 8-11 (D.D.C. Sept. 2,
1993)(“under Critical Mass, submissions that are required to realize the benefits of a
voluntary program are to be considered mandatory”); Lee v. FDIC, 923 F. Supp. 451, 454
(S.D.N.Y. 1996)(when documents were “required to be submitted” in order to get
government approval to merge two banks, court rejects agency’s attempt to nonetheless
characterize submission as “voluntary”); AGS Computers, Inc. v. United States Dep’t of
Treasury, No. 92-2714, slip op. at 10 (D.N.J. Sept. 16, 1993)(submitter’s submission of
documents to agency during a meeting was done voluntarily because there was no
“controlling statute, regulation, or written order”); Center for Auto Safety v. National
Highway Traffic Safety Admin., 93 F. Supp.2d 1 (D.D.C. Feb. 28, 2000), remanded by
Center for Auto Safety v. National Highway Traffic Safety Admin., 244 F.3d 144 (D.C.Cir.
Mar. 30, 2001)(information on airbag systems submitted in response to agency’s request was
a voluntary submission because agency lacked legal authority to enforce its request for
information).
Nonetheless, the Critical Mass voluntary vs. required standard has not been widely
adopted by the other circuits that have endorsed the National Parks test.
Executive Order 12,600 (Predisclosure Notification Procedures for
Confidential Commercial Information), issued in 1987, requires each federal agency
to establish procedures to notify submitters of confidential commercial information
whenever an agency “determines that it may be required to disclose” such
information under the FOIA.39 The submitter is provided an opportunity to submit
objections to the proposed disclosure.40 If the agency decides to release the
information over the objections of the submitter, the submitter may seek judicial
review of the propriety of the release, and the courts will entertain a “reverse FOIA”
suit to consider the confidentiality rights of the submitter.41
Another area of concern under exemption 4 jurisprudence is the so-called
mosaic effect which recognizes that an individual piece of information, which in and
of itself may not qualify as confidential business information, may be combined with
other information to cause substantial competitive harm. Private information
hawkers routinely engage in the business of assembling all of the pieces of
information. Courts have applied the mosaic effect to prevent the disclosure of
confidential business information.42
As previously noted with regard to critical infrastructure information, the
federal government seeks to ensure that it is able to obtain information from the
private sector on a voluntary basis. S. 2452, the National Homeland Security and
Combating Terrorism Act of 2002, essentially codifies the voluntary/required rule
from the D.C. Circuit’s decision in Critical Mass v. NRC, and applies it to critical
infrastructure information voluntarily submitted by the private sector, and not
customarily available to the public, to the new Department of Homeland Security.
Codification of the Critical Mass standard could eliminate differences in treatment
in the federal courts of confidential business information related to critical
infrastructure.
39 3 C.F.R. 235 (1988), reprinted in 5 U.S.C. § 552 note.
40 Exec. Order No. 12,600, § 4.
41 Lee v. FDIC, 923 F. Supp. 451, 455 (S.D.N.Y. 1996).
42 See, e.g., Timken Co. v. U.S. Customs Service, 491 F. Supp. 557 (D.D.C. 1980).
Legislative Responses
FOIA Exemption in the Administration’s Proposal for
Homeland Security
The Bush Administration took its support a step further in its legislative
proposal establishing the new Department of Homeland Security by proposing to
exempt from disclosure under FOIA critical infrastructure information voluntarily
submitted to the government by non-federal entities. Section 204 of the proposal
stated:
Information provided voluntarily by non-federal entities or individuals that
relates to infrastructure vulnerabilities or other vulnerabilities to terrorism
and is or has been in the possession of the Department [of Homeland
Security] shall not be subject to section 552 of title 5, United States Code.
This proposed language did not provide additional specificity, and was criticized by
the FOIA requester community as “cast[ing] a shroud of secrecy over one of the
Department of Homeland Security’s critical functions, critical infrastructure
protection.”43
FOIA Exemptions in Homeland Security Proposals
When the President’s legislative proposal was reported out of the House Select
Committee on Homeland Security as H.R. 5005 (Armey), the FOIA exemption was
modified and included in a separate subtitle (Title VII, Subtitle C, sections 721 -
724).44 The Senate Governmental Affairs Committee, too, voted to add a FOIA
exemption to its bill S. 2452 (Lieberman, section 198) establishing a Department of
Homeland Security. The FOIA provision in S. 2452 is not as detailed as the House
bill. A brief discussion of the FOIA exemptions in the two homeland security bills
follows. A comparison of the language regarding FOIA exemptions is included in
the CRS Report RL31513, Homeland Security: Side-By-Side Comparison of H.R.
5005 and S. 2452, 107th Congress.
43 David Sobel, Electronic Privacy Information Center, Testimony Before House
Subcommittee on Oversight and Investigation on “Creating the Department of Homeland
Security: Consideration of Administration’s Proposal.” (July 9, 2002).
44 On the House floor, two amendments to this section of the bill were offered. Amendment
No. 24 would have eliminated Subtitle C entirely. Amendment No. 25 would have amended
the definition of “covered agency” to include not just the Department of Homeland Security,
but any other agency designated by the Department of Homeland Security or with which the
Department shares critical infrastructure information. Both amendments failed. 148 Cong.
Rec. H5845 (July 26, 2002).
H.R. 5005, Title VII, Subtitle C.
Section 724 of H.R. 5005, the Homeland Security Act of 2002, exempts from
disclosure under FOIA “critical infrastructure information (including the identity of
the submitting person or entity) that is voluntarily submitted to a covered agency for
use by that agency regarding the security of critical infrastructure (as defined in the
USA PATRIOT Act)...,45 when accompanied by an express statement....” The bill
defines critical infrastructure information to mean “information not customarily in
the public domain and related to the security of critical infrastructure or protected
systems—
(A) actual, potential, or threatened interference with, attack on,
compromise of, or incapacitation of critical infrastructure or protected
systems by either physical or computer-based attack or other similar
conduct (including misuse of or unauthorized access to all types of
communications and data transmission systems) that violates federal, state,
or local law, harms interstate commerce of the United States, or threatens
public health and safety;
(B) the ability of critical infrastructures or protected systems to resist such
interference, compromise, or incapacitation, including any planned or past
assessment, projection or estimate of the vulnerability of critical
infrastructure or a protected system, including security testing, risk
evaluation thereto, risk management planning, or risk audit; or,
(C) any planned or past operational problem or solution regarding critical
infrastructure...including repair, recovery, reconstruction, insurance, or
continuity to the extent it relates to such interference, compromise, or
incapacitation.”
A “covered agency” is defined as the Department of Homeland Security. The
submission of critical infrastructure information is considered voluntary if done in
the absence of the Department of Homeland Security exercising its legal authority
to compel access to or submission of such information. Information submitted to the
Securities and Exchange Commission pursuant to section 12(i) of the Securities and
Exchange Act of 1934 is explicitly not protected by this provision. Nor is
information disclosed or written when accompanying the solicitation of an offer or
a sale of securities, nor if the information was submitted or relied upon as the basis
for licensing or permitting determinations, or during regulatory proceedings.
Besides exempting from FOIA critical infrastructure information which has
been submitted voluntarily with the appropriate express statement to the Department
of Homeland Security, the bill also states that the information shall not be subject to
any agency rules or judicial doctrine regarding ex parte communications with
decision making officials. The bill also prohibits such information, without the
written consent of the person or entity submitting such information in good faith,
from being used directly by the Department of Homeland Security, any other federal,
state, or local authority or any third party, in any civil action. Nor may the
information, without written consent of the person or entity submitting such
information, be used or disclosed by any officer or employee of the United States
for any purpose other than the purposes of the subtitle, except in the furtherance of
a criminal investigation or prosecution, or when disclosed to either House of
Congress, or to the Comptroller General or other authorized General Accounting
Office official, in the conduct of official business. Furthermore, any federal official
or employee who knowingly publishes, divulges, discloses, or makes known in any
manner or to any extent not authorized by law, any protected information, is subject
to removal, imprisonment up to one year, and fines. If the information is disclosed
to state or local officials, it may not be used for any purpose other than the protection
of critical infrastructures, and it may not be disclosed under state disclosure laws.
The protections afforded protected information under this statute do not result in
waiver of any privileges or protections provided elsewhere in law. Finally, no
communication of critical infrastructure information to the Department of Homeland
Security shall be considered to be an action subject to the requirements of the Federal
Advisory Committee Act.46
45 “Systems or assets, whether physical or virtual, so vital to the United States that the
incapacity or destruction of such systems and assets would have a debilitating impact on
security, national economic security, national public health or safety, or any combination of
those matters.” P.L. 107-56, section 1016.
For information to be considered protected, it must be accompanied by a
written marking to the effect that “this information is voluntarily submitted to the
federal government in expectation of protection from disclosure as provided by the
Critical Infrastructure Information Act of 2002 [the name given to Subtitle C].” The
Secretary is to establish procedures for handling the information once it is received.
Only those agency components or bureaus designated by the President or the
Secretary of Homeland Security as having a Critical Infrastructure Program may
receive critical infrastructure information from the Department.
The above protections for information voluntarily submitted by a person or
entity to the Department of Homeland Security do not limit or otherwise affect the
ability of a state, local, or federal government entity, agency or authority, or any third
party, under applicable law, to obtain critical infrastructure information (including
any information lawfully and properly disclosed generally and broadly to the public)
and to use that information in any manner permitted by law. Submittal to the
government of information or records that are protected from disclosure is not to be
construed as compliance with any requirement to submit such information to a
federal agency under any other provision of law. Finally, the bill does not expressly
create a private right of action for enforcement of any provision of the Act.
46 The Federal Advisory Committee Act (FACA) requires that the meetings of all federal
advisory committees serving executive branch entities be open to the public. The FACA
specifies nine categories of information, similar to those in FOIA, that may be permissively
relied upon to close advisory committee deliberations. 5 U.S.C. App. 2.
S. 2452, Section 198.
S. 2452, National Homeland Security and Combating Terrorism Act of 2002,
as agreed to by the Senate Governmental Affairs Committee on July 25, 2002,
exempts a “record” pertaining to the vulnerability of and threats to critical
infrastructure (as defined in the USA PATRIOT Act) furnished voluntarily to the
Department of Homeland Security from being made available under FOIA. A record
is covered by the bill if the provider would not customarily make the record available
to the public. It also requires the provider to designate and certify, in a manner
specified by the Department of Homeland Security, that the record is confidential
and not customarily made available to the public.
Unlike the House bill, the Senate bill does not include a definition of “critical
infrastructure information.” However, the bill covers “records pertaining to the
vulnerability of and threats to critical infrastructure (such as attacks, response, and
recovery efforts).”
A record is submitted voluntarily if it was submitted to the Department of
Homeland Security “in the absence of authority of the Department requiring that
record to be submitted,” and it is not submitted or used to satisfy any legal
requirement or obligation or to obtain any grant, permit, benefit47, or other approval
from the federal government.
Agencies with which the Department of Homeland Security shares protected
records are bound by the FOIA exemption. FOIA requests for protected information
must be referred back to the Department of Homeland Security, and the Department
may provide any portion of the record that is reasonably segregable from that part
of the record which is exempt from disclosure, after deleting the protected
information. The bill also allows the provider of a record that is furnished
voluntarily to the Department of Homeland Security to withdraw the confidential
designation at any time in a manner specified by the Department.
S. 2452 allows an agency which has received independently of the Department
a record “similar or identical” to that received by the Department, to disclose the
record under FOIA. The Senate bill does not preempt state or local disclosure laws
if the state or local authority received the information independent of the Department
of Homeland Security, nor does it contain any civil liability immunity, or criminal
penalties.
The Secretary of the Department of Homeland Security is directed to prescribe
procedures for: acknowledging the receipt of records furnished voluntarily; the
certification of records furnished voluntarily as confidential and not customarily
made available to the public; the care and storage of records furnished voluntarily;
and the protection and maintenance of the confidentiality of records furnished
voluntarily.
47 Benefits include agency forbearance, loans, or reductions or modifications of agency
penalties or rulings. Benefits do not include warnings, alerts, or other risk analysis offered
by the Department.
Finally, the Senate bill requires the Comptroller General to report to Congress
on the implementation and use of the above protections. The report shall include the
number of persons in the private sector and the number of state and local agencies
that furnished records voluntarily under these provisions, the number of requests for
access granted or denied under these provisions, and any recommendations regarding
improvements in the collection and analysis of sensitive information related to the
vulnerabilities of and threats to critical infrastructures.
In sum, significant differences exist between H.R. 5005 and S. 2452. These
differences include the scope of the information protection; the type of information
covered and exempted from FOIA; the definition of a voluntary submission; the
other purposes authorized for use or disclosure of the information; the disclosure of
information with the consent of the submitter; the permissibility of disclosures of
related information by other agencies; immunity from civil liability; preemption; and
criminal penalties.
Issues and Concerns
The general concerns of the owners and operators of critical infrastructure are
that the type and breadth of information they are being asked to submit on
vulnerabilities, incidents, remedies, etc., if made available to competitors or to the
general public, could harm their public relations, compromise their competitive
position, expose them to liability, or disclose sensitive information to terrorists and
others who might wish to disrupt the function of their infrastructure. It is their
position that crafting a specific exemption to FOIA in statute (i.e., a (b)(3)
exemption) would provide the greatest legal protections for the information they
share. They believe that a narrowly tailored (b)(3) exemption would eliminate
agency discretion to disclose protected information in response to a FOIA request.
In addition, given the federal government’s need to share sensitive business
information for homeland security purposes with state and local officials, owners and
operators also seek federal preemption of state and local disclosure laws. Owners
and operators are concerned that some of this information could make them subject
to liability in unforeseen ways.
A number of public interest groups have expressed their opposition to the
protections being proposed, particularly those contained in the House version.48 The
primary concern is that the type of information exempted from FOIA is too broadly
defined, and could allow any company claiming to be an owner or operator of a
critical infrastructure to voluntarily submit almost any kind of information in order
to protect the information from disclosure under the FOIA. Critics also believe the
definition adopted from the USA PATRIOT Act of critical infrastructure is too vague
in both bills.
48 Some of the groups that have expressed concern include the American Civil Liberties
Union, the Electronic Privacy Information Center, Natural Resources Defense Fund, the
Society of Professional Journalists, and the U.S. Public Interest Research Group. For a
sample of the groups that have joined in opposition and their rationales, see
[http://www.ombwatch.org/article/articleview/943/1/18/cleanwateraction.org].
The House bill also covers information regarding an attack, or similar conduct,
that violates law or harms interstate commerce. According to one critique, the
language “or similar conduct” and “harms interstate commerce” is broad and could
include non-criminal or inadvertent incidents that cause temporary interruption of
normal business operations.49 The criticism goes on to state that the purposes for
which the information may be used (and which therefore contribute to the definition of
what kind of information may be protected) include analysis, warning,
interdependency study, recovery, reconstitution, or “other informational purposes.”
According to the critique, “other informational purposes” covers untold amounts of
information, some of which may have been previously available to the public.
These groups also are concerned that information currently collected by various
agencies and available to the public could now be protected from disclosure if
submitted to the Department of Homeland Security initially as critical infrastructure
information. This is particularly an issue in the area of environmental law relating
to a community’s right to know.50 Both bills state that the protections are granted
“notwithstanding any other provisions of law.” Under current law (the Emergency
Planning and Community Right-to-Know Act, P.L. 99-499, 42 USC 11001-11050),
facilities handling certain toxic substances in excess of a threshold amount annually
must report to the Environmental Protection Agency and local officials the maximum
and average daily amounts of such substances that they had on hand during the
previous year; the location of such chemicals within the facility; and estimates of
how much was released into the environment as part of normal handling and
processing. In addition, in the event of an accidental release above a threshold
amount, facilities immediately must report the amount released to local officials.
The 1990 amendments to the Clean Air Act (which were passed in P.L. 101-
549, Section 301, amending 42 USC 7412) made it the duty of owners and operators
of facilities producing, processing, handling, or storing certain extremely hazardous
substances: to identify hazards that may result from releases; to design and maintain
a safe facility; and to minimize the consequences of accidental releases which do
occur. To prevent accidental releases, the Act requires facilities handling such
substances to develop “risk management plans.” Among the items included in these
plans are an accounting of any accidental releases of those substances over the
previous five years; estimates of the quantities of chemicals that might be released
in the event of an accident, including a worst-case accident; estimates of the potential
exposures to affected downwind populations; a program for preventing releases; and
an emergency response program to protect public health and the environment in the
event of a release. Under the 1990 law, public disclosure of most of this information
(which also could be released in response to FOIA requests) is required, but the
details of the off-site consequence analyses (OCA) for hypothetical accidents are not
required to be disclosed. In addition, companies may claim confidentiality for some
submitted information, provided they can support that claim.
49 Problems with S. 1456, Critical Infrastructure Information Act. Natural Resources
Defense Council. Although directed at the rewritten version of S. 1456 that was never
introduced, the language at issue is the same as that proposed in H.R. 5005. The critique can
be found at [http://www.ombwatch.org/info/cii/nrdcproblems.html].
50 See CRS Report RL31530, Chemical Plant Security.
Security concerns arose about the potential utility to terrorists of risk
management planning data, just as EPA was planning to make the plans widely
available to the public via the Internet.51 Convinced of the need for caution, EPA
agreed not to post OCA data on its website. Nevertheless, the information could be
obtained electronically using FOIA, and several public interest groups announced
that they would do so and post the data. In 1999, Congress responded by again
amending the Clean Air Act. The amended Act exempts OCA data from disclosure
under FOIA, and directs EPA to limit public disclosure as necessary to reduce risks.
EPA issued a final regulation on data access on August 4, 2000.52 It allows the
public to see paper copies of sensitive OCA information through federal reading
rooms, approximately one per state, and provides Internet access to the OCA data
elements that pose the least serious criminal risk. State and local agencies are
encouraged to provide the public with read-only access to OCA information on local
facilities. At the federal reading rooms, members of the public may read OCA
information for up to 10 facilities per calendar month and for all facilities with
potential effects in the jurisdiction of the local emergency planning committee.
State and local officials and other members of the public may share OCA
information as long as the data are not conveyed in the format of sensitive portions
of the RMP or any electronic database developed by EPA from those sections.53 A
Clinton Administration proposal to implement the final rule (66 Federal Register
4021, Jan. 17, 2001) would have allowed people to view plans of facilities outside
their local area and enhanced access for “qualified researchers.” The draft plan was
rescinded by the Bush Administration (66 Federal Register 15254, Mar. 16, 2001).
No further regulatory action has been taken to date.
Critics of the FOIA exemption for critical infrastructure information submitted
voluntarily with the appropriate express statement are concerned that the
“notwithstanding any other provision of law” clause could possibly exempt from
FOIA information about facilities handling potentially dangerous chemicals that is
currently available under the Emergency Planning and Community Right-to-Know
Act and the Clean Air Act.
Some public interest groups are concerned that the breadth of information that
could be exempted from disclosure, combined with the prohibition on use of critical
infrastructure information in any civil suit, could give owners or operators of critical
infrastructures an “unprecedented immunity” from complying with a variety of laws
(i.e., antitrust, tort, tax, civil rights, environmental, labor, consumer protection, and
health and safety laws). Another concern centers on a perceived lack of clarity on
whether information obtained independently by subpoena, for example, could be
used to bring civil suit (e.g., would a victim of chemical exposure be precluded from
suing if information previously submitted to the Department of Homeland Security
was obtained independently from the company by subpoena).
51 During the mid to late 1990s, federal agencies were facilitating electronic public access
to governmental information in response to congressional directives, such as the Electronic
Freedom of Information Act, P.L. 104-231, and presidential initiatives, such as “President
Clinton’s Environmental Monitoring for Public Access and Community Tracking” program.
52 65 Federal Register 48107-48133.
53 EPA Fact Sheet. “Chemical Safety Information, Site Security and Fuels Regulatory Relief
Act: Public Distribution of Off-Site Consequence Analysis Information.” EPA 550-F00-012,
Aug. 2000.
Another argument made by the public interest groups is that existing FOIA
exemptions and case law offer sufficient protections to owner/operators. They cite
exemption (b)(4), which allows agencies to withhold commercial information that
is privileged or confidential, if by disclosing that information, the competitive
position of the provider is harmed or the ability of the government to continue
receiving that information is impaired. An exemption from FOIA for critical
infrastructure information, they argue, would promote government secrecy and harm
public access.
These groups are also concerned about a provision they say gives the private
sector the power to determine what information is to be protected, simply by
including an express statement of protection from disclosure on the submission to the
federal government. The criminal penalties provided for the unauthorized disclosure
of protected information are viewed by some groups as essentially an
anti-whistleblower provision designed to stifle government accountability. Another issue
raised by the groups is whether a submission of information to the government will
be treated as voluntary in situations where an agency has not exercised its authority
to compel submission. Finally, the groups take issue with the provision that
preempts state and local freedom of information laws.
The public interest groups concerned with granting specific FOIA exemptions
have expressed a guarded acceptance of the Senate version. They feel it basically
puts into statute recent FOIA case law regarding the protections afforded confidential
information submitted to government agencies under FOIA exemption 4.54
Representatives from industry have responded to some of these concerns by
stating that it is not their intent to evade current laws and regulations, but that the
extra protections are needed before they are willing to voluntarily submit information
that might be used against them later, either legally or competitively. Under the
current law, companies have no assurance that information they share with a
government agency will be treated confidentially, and agencies are not required to
commit to confidentiality at the time of disclosure. Agencies are not required to
initiate the FOIA exemption process until a FOIA request is received. When it is
received, the agency is asked to defend the information’s confidentiality, and is not
required to inform the originator if it believes it has enough information to proceed.
Industry is generally in favor of legislation that will accomplish the goal of
encouraging it to submit security-related information without fear of public
disclosure. Representatives from owners and operators have also stated that they
favor a narrow exemption so as to cover only infrastructure threat and vulnerability
information.55
54 Industry Offers Support for Scaled-Back Senate FOIA Revisions, Inside EPA (July 26,
2002).
55 Kenneth C. Watson, President, Partnership for Critical Infrastructure Security, Testimony
Before House Subcommittee on Oversight and Investigation on “Creating the Department
of Homeland Security: Consideration of Administration’s Proposal.” (July 9, 2002).
(continued...)
Conclusion
The Senate bill, S. 2452, is scheduled for debate the week of September 2nd,
2002. If the Senate passes its Homeland Security bill, it must be conferenced with
the House bill, H.R. 5005. During conference, negotiators must reconcile two
different approaches to the protection and disclosure of critical infrastructure
information. Compelling arguments exist on both sides of the debate for and against
exempting critical infrastructure information from the Freedom of Information Act.
55 (...continued)